On 2/9/26 4:27 PM, Lorenzo Bianconi wrote:
>> On 2/4/26 5:21 PM, Lorenzo Bianconi via dev wrote:
>>> Do not forward ethernet packets with unknown ether type (0x05ff) to
>>> router pipeline.
>>
>> Hi, Lorenzo. Thanks for the patch!
>
> Hi Ilya,
>
> thx for the review.
>
>>
>> It would be nice to have some explanation here on why we need to drop
>> these early before it reaches the router pipeline.
>>
>> This patch may also use some test cases.
>
> ack, I will add it in v2
>
>>
>> One more thought below.
>>
>>>
>>> Reported-at: https://issues.redhat.com/browse/FDP-1908
>>> Signed-off-by: Lorenzo Bianconi <[email protected]>
>>> ---
>>> northd/northd.c | 9 +++++++++
>>> northd/ovn-northd.8.xml | 5 +++++
>>> 2 files changed, 14 insertions(+)
>>>
>>> diff --git a/northd/northd.c b/northd/northd.c
>>> index b4bb4ba6d..539567ba7 100644
>>> --- a/northd/northd.c
>>> +++ b/northd/northd.c
>>> @@ -5947,6 +5947,15 @@ build_lswitch_port_sec_op(struct ovn_port *op,
>>> struct lflow_table *lflows,
>>> return;
>>> }
>>>
>>> + if (lsp_is_router(op->nbsp)) {
>>> + ds_clear(match);
>>> + ds_put_format(match, "outport == %s && eth.type == 0x%04x",
>>> + op->json_key, OFP_DL_TYPE_NOT_ETH_TYPE);
>>> + ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_APPLY_PORT_SEC, 150,
>>> + ds_cstr(match), debug_drop_action(), op->lflow_ref,
>>> + WITH_DESC("Packet with unknown ether type"));
>>> + }
>>> +
>>> ds_clear(match);
>>> ds_clear(actions);
>>> ds_put_format(match, "inport == %s", op->json_key);
>>> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
>>> index 279d81f35..fe1dc4dc0 100644
>>> --- a/northd/ovn-northd.8.xml
>>> +++ b/northd/ovn-northd.8.xml
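Review bot: in the northd.c hunk, WITH_DESC("Packet with unknown ether type") and the commit subject misdescribe what the match catches: OFP_DL_TYPE_NOT_ETH_TYPE (0x05ff) is OpenFlow's placeholder for a frame that carries no EtherType at all (an 802.3 length-field frame without a recognised SNAP header), so "eth.type == 0x%04x" with that value drops only that one class, while real-but-unroutable EtherTypes such as the 0x8918 multicast mentioned later in this thread still reach the router pipeline. Suggest wording the description as "Packet without an ether type" (or similar) and saying in the commit message, as requested above, why these frames must be dropped before the router pipeline. Note also that the flow is added inside the per-port lsp_is_router() branch in S_SWITCH_OUT_APPLY_PORT_SEC, so it is emitted once per router port; restricting the default forwarding rule in build_lswitch_destination_lookup_bmcast() to arp, ip and ipv6, as proposed below, would be one flow per datapath and would cover every non-routable type at once. A test that sends a frame with eth.type 0x05ff toward a router port and checks for the drop would also help.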
>>> @@ -2816,6 +2816,11 @@ output;
>>> </p>
>>>
>>> <ul>
>>> + <li>
>>> + For router ports, a priority 150 flow to drop ethernet packets with
>>> + unknown ether type (0x05ff).
>>
>> This does align with what I originally reported, but seeing more cases
>> of random traffic being resubmitted to all routers recently, I wonder
>> if we should take a default-deny approach here and instead of dropping
>> specific ethertypes that we know cannot be routed by the logical router,
>> drop everything that is not arp, ip or ipv6 instead. WDYT?
>>
>> This could potentially be done by restricting the default forwarding
>> rule in build_lswitch_destination_lookup_bmcast() to arp, ip and ipv6.
>
> ack, I will look into it. Do you think we should have a knob to enable/disable
> this behaviour?
No, I don't think so. The logical router can't route or use any of these
packets, so I'm not sure what would be the case where we wouldn't want to
just drop them.

>
> Regards,
> Lorenzo
>
>>
>> Unicast traffic generally doesn't cause any issues for OVN and we may
>> let the router pipeline deal with it (drop).
>>
>> An example of the other type of traffic I witnessed was ethernet
>> multicast traffic with dl_type=0x8918 that some network appliances are
>> using for loop detection.
>>
>> Best regards, Ilya Maximets.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
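The following is an added example, not OVN or Open vSwitch code and not part of the thread above. It is a stand-alone C classifier that shows how a frame ends up with the dl_type 0x05ff that the patch's "eth.type == 0x05ff" match keys on, and applies the default-deny rule Ilya proposes: only ARP, IPv4 and IPv6 are forwarded toward the router port, everything else (the 0x8918 multicast he mentions, 802.3 frames such as STP BPDUs) is dropped at the switch. It goes beyond the thread in that it also resolves 802.1Q-tagged frames and zero-OUI LLC/SNAP frames the way an OpenFlow switch does. The sample frames are constructed, not captures, and the function names (frame_dl_type, frame_is_multicast, router_port_verdict) are mine, not names from the OVN code base.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OpenFlow's placeholder dl_type for a frame with no EtherType; the patch
 * names the same value OFP_DL_TYPE_NOT_ETH_TYPE. */
#define DL_TYPE_NOT_ETH_TYPE 0x05ff
#define ETH_TYPE_MIN  0x0600   /* smaller type/length values are 802.3 lengths */
#define ETH_TYPE_IP   0x0800
#define ETH_TYPE_ARP  0x0806
#define ETH_TYPE_VLAN 0x8100
#define ETH_TYPE_IPV6 0x86dd
#define ETH_HDR_LEN   14
#define LLC_SNAP_LEN  8        /* DSAP, SSAP, control, OUI[3], type[2] */

enum verdict { VERDICT_FORWARD = 0, VERDICT_DROP = 1 };

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t) ((p[0] << 8) | p[1]);
}

/* dl_type as an OpenFlow switch reports it (a simplified rendering of the
 * OVS flow-extraction rules, not OVS code): a type/length >= 0x0600 is an
 * EtherType, one 802.1Q tag is skipped, an 802.3 length is resolved via
 * LLC/SNAP with a zero OUI, and everything else (truncated frames
 * included) is 0x05ff. */
uint16_t frame_dl_type(const uint8_t *frame, size_t len)
{
    size_t off = 12;                       /* type/length field offset */
    if (len < ETH_HDR_LEN) return DL_TYPE_NOT_ETH_TYPE;
    uint16_t type = get_be16(frame + off);
    if (type == ETH_TYPE_VLAN) {           /* TPID, TCI, then inner type */
        if (len < off + 6) return DL_TYPE_NOT_ETH_TYPE;
        off += 4;
        type = get_be16(frame + off);
    }
    if (type >= ETH_TYPE_MIN) return type; /* Ethernet II */
    if (len < off + 2 + LLC_SNAP_LEN) return DL_TYPE_NOT_ETH_TYPE;
    const uint8_t *llc = frame + off + 2;  /* 802.3: LLC header follows */
    if (llc[0] == 0xaa && llc[1] == 0xaa && llc[2] == 0x03
        && llc[3] == 0 && llc[4] == 0 && llc[5] == 0) {
        uint16_t snap_type = get_be16(llc + 6);
        return snap_type >= ETH_TYPE_MIN ? snap_type : DL_TYPE_NOT_ETH_TYPE;
    }
    return DL_TYPE_NOT_ETH_TYPE;           /* LLC without zero-OUI SNAP */
}

bool frame_is_multicast(const uint8_t *frame, size_t len)
{
    return len >= 6 && (frame[0] & 0x01) != 0;   /* I/G bit of dst MAC */
}

/* Default-deny toward a router port: only ARP, IPv4 and IPv6 go on to the
 * router pipeline; every other dl_type, 0x05ff included, is dropped. */
enum verdict router_port_verdict(const uint8_t *frame, size_t len)
{
    switch (frame_dl_type(frame, len)) {
    case ETH_TYPE_ARP:
    case ETH_TYPE_IP:
    case ETH_TYPE_IPV6:
        return VERDICT_FORWARD;
    default:
        return VERDICT_DROP;
    }
}

/* Constructed sample frames (not captures); bytes after the headers are filler. */
const uint8_t SAMPLE_ARP[] = {            /* unicast Ethernet II, ARP */
    0x00,0x00,0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,0x00,0x02, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01 };
const uint8_t SAMPLE_BPDU[] = {           /* STP BPDU: 802.3 length + LLC 42 42 03 */
    0x01,0x80,0xc2,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x02, 0x00,0x26,
    0x42,0x42,0x03, 0x00,0x00,0x00,0x00,0x00 };
const uint8_t SAMPLE_8918[] = {           /* multicast Ethernet II, type 0x8918 */
    0x01,0x00,0x00,0x00,0x00,0x03, 0x00,0x00,0x00,0x00,0x00,0x02, 0x89,0x18,
    0x00,0x00,0x00,0x00 };
const uint8_t SAMPLE_VLAN_IPV6[] = {      /* 802.1Q tag (VID 100) around IPv6 */
    0x00,0x00,0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,0x00,0x02, 0x81,0x00,
    0x00,0x64, 0x86,0xdd, 0x60,0x00,0x00,0x00 };
const uint8_t SAMPLE_SNAP_IP[] = {        /* 802.3 length + SNAP (OUI 0) + IPv4 */
    0x00,0x00,0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,0x00,0x02, 0x00,0x1c,
    0xaa,0xaa,0x03, 0x00,0x00,0x00, 0x08,0x00, 0x45,0x00 };

int main(void)
{
    const struct { const char *name; const uint8_t *frame; size_t len; } s[] = {
        { "arp",       SAMPLE_ARP,       sizeof SAMPLE_ARP },
        { "bpdu",      SAMPLE_BPDU,      sizeof SAMPLE_BPDU },
        { "0x8918",    SAMPLE_8918,      sizeof SAMPLE_8918 },
        { "vlan-ipv6", SAMPLE_VLAN_IPV6, sizeof SAMPLE_VLAN_IPV6 },
        { "snap-ipv4", SAMPLE_SNAP_IP,   sizeof SAMPLE_SNAP_IP },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        printf("%-10s dl_type=0x%04x %s -> %s\n", s[i].name,
               frame_dl_type(s[i].frame, s[i].len),
               frame_is_multicast(s[i].frame, s[i].len) ? "mcast" : "ucast",
               router_port_verdict(s[i].frame, s[i].len) == VERDICT_FORWARD
               ? "forward" : "drop");
    }
    return 0;
}
```

The BPDU sample is the case the patch's 0x05ff match is aimed at: its type/length field is a length and its LLC header (42 42 03) is not zero-OUI SNAP, so the switch reports no EtherType. The 0x8918 sample has a perfectly valid EtherType and would pass a 0x05ff-only filter, which is the gap the default-deny rule closes.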
